Kat Traxler

Greater Minneapolis-St. Paul Area

Publications

  • Attacks as a Service with The DeRF

    DEF CON Cloud Village

    Abstract:

    Introducing the DeRF (Detection Replay Framework), a tool which hosts attack techniques and supports the invocation of those attacks across cloud environments. What sets DeRF apart from other cloud attack tools?

    - User-Friendly Interface: Since the DeRF is hosted in Google Cloud, End Users can invoke attacks through the cloud console UI without the need to install software or use the CLI.
    - Accessibility for Non-Security Professionals: The DeRF caters to a broad audience of End Users, including Engineering, Sales, Support Staff or automated processes.
    - Robust OpSec: Long-Lived Credentials are not passed between operators, instead access to the DeRF and its attack techniques are controlled through GCP IAM Role-Based Access Control (RBAC)
    - Extensibility at its Core: Attack sequences are written in YAML, enabling easy configuration of new techniques.
    - Turn-Key deployment: Deploying (and destroying!) the DeRF is a fully automated process, completed in under 3 minutes.

    During this demo, we will guide you through the straightforward and automated deployment process for the DeRF. We'll demonstrate how to invoke pre-configured attack techniques and illustrate how you can customize the framework to align with your internal attacker profile. By deploying the DeRF within your organization you can easily spin up attacker simulations, to augment training or automate the testing of detection capabilities.

  • GCP Primitive Roles, An indictment

    fwd:Cloudsec

    Before Google Cloud released Cloud IAM there were only Primitive Roles. Prior to 2016, the coarse-grained Roles, Owner, Editor and Viewer were the only mechanisms available to grant access to GCP resources.

    Primitive Roles are the antithesis of least privilege, but more specifically, their mere existence significantly impacts the security posture of a GCP Project. Four years after the release of Cloud IAM, despite the availability of fine-grained Roles, Primitive Roles are still pervasive in GCP. Is it possible to eradicate Primitive Roles from your GCP Organization and still use the Platform?

  • GCP Privileged Escalation - A Transitive Path

    Overview
    The power of Impersonation is a deeply rooted concept in GCP and GKE. The ability for one member to Impersonate another is a foundational capability; it will and should be leveraged as your cloud maturity grows. But how does your Organization securely enable Impersonation without leaving behind a 'Happy Path' for Attackers?

    In this talk I will show you how an attacker could abuse permissions with Transitive properties to escalate their permissions in GCP starting from initial compromise to Project Admin. I'll also talk about some 'Red Flag' permissions fueling privilege escalation and how to securely handle when there is a use case for them.

  • The Cloud Attack Surface - Laughing at the OSI Model

    BSidesMSP 2019

    Security Professionals are comfortable reasoning about the security posture of systems within the framework of the OSI model. We classify attacks as network based or application based each with their own set of understood preconditions or rules.

    Enter 'The Cloud' or, as I like to think about it, platforms in other people's datacenters. The Cloud API Platforms are used by a new breed of operations teams to define network or application systems in code. It's on the Cloud API Platform that a new attack surface has opened, and it plays by none of the old rules.

  • JAVASCRYPTO: HOW WE ARE USING BROWSERS AS CRYPTOGRAPHIC ENGINES

    Cyphercon 2.0

    In order to achieve end-to-end encryption, build zero-knowledge systems, and provide users with the convenience they are accustomed to, Web 2.0 is pushing cryptography to your browser. From secure e-mail to credit card transactions, our security is increasingly dependent on the integrity of client-side JavaScript. The opportunities for exploit are many, but with every new vulnerability has come a potential mitigation, all in an attempt to strong-arm these sensitive operations into the browser, limit an application's liability, and keep us users happy. In my presentation, we will look at the fundamental nature of JavaScript and web browsers, and conclude what level of protection, in the best of circumstances, JavasCrypto affords the end user.


Projects

  • Crypto2020JS – Encryption for Future Governments

    "TLA Compliance And You"
    A JavaScript crypto library for future government.
    Crypto2020JS provides for the implementation of the Stanford JavaScript Cryptographic Library while maintaining compliance with most Three-Letter Agencies (TLAs).
    All sources of entropy derived from either a password or real-time events will be overwritten by a fresh set of null values, resulting in null keys, null salt and a consistent, static IV used in all modes of encryption.
